Analysis
max time kernel: 124s
max time network: 127s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 13-01-2023 06:17
Static task static1
Behavioral task behavioral1
  Sample: Document_158_Copy_01-12/POV_Document_01-12.lnk
  Resource: win7-20221111-en
Behavioral task behavioral2
  Sample: Document_158_Copy_01-12/POV_Document_01-12.lnk
  Resource: win10v2004-20220812-en
Behavioral task behavioral3
  Sample: Document_158_Copy_01-12/badpitdewy/amppopecun.cmd
  Resource: win7-20221111-en
Behavioral task behavioral4
  Sample: Document_158_Copy_01-12/badpitdewy/amppopecun.cmd
  Resource: win10v2004-20221111-en
Behavioral task behavioral5
  Sample: Document_158_Copy_01-12/badpitdewy/revealing.dll
  Resource: win7-20220901-en
Behavioral task behavioral6
  Sample: Document_158_Copy_01-12/badpitdewy/revealing.dll
  Resource: win10v2004-20220812-en
General
Target: Document_158_Copy_01-12/POV_Document_01-12.lnk
Size: 1KB
MD5: be3451f6c620e115eac1d6351f2424ec
SHA1: 46953a49fbf72118db891cbe512184ae5063c9b0
SHA256: c60e0ac814cf9e6b745be36c16d493f5eeda0a31e8463db4419f2bd8d9c081ee
SHA512: b29488f1bd7ade2021787f594fa3161460505a3771c155620a03d25e3946ed4c62e1aec2629449c4677f54829d615331b225759155e5e11dbf3dcb0d175c187e
Malware Config
Extracted
icedid
1387823457
allertmnemonkik.com
Signatures
Blocklisted process makes network request (3 IoCs)
Processes: rundll32.exe
  flow  pid   process
  2     1524  rundll32.exe
  4     1524  rundll32.exe
  5     1524  rundll32.exe
Loads dropped DLL (1 IoCs)
Processes: rundll32.exe
  pid   process
  1524  rundll32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
  pid   process
  1524  rundll32.exe
  1524  rundll32.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: cmd.exe, cmd.exe
  description                        pid   process  target process
  PID 832 wrote to memory of 1692    832   cmd.exe  cmd.exe
  PID 832 wrote to memory of 1692    832   cmd.exe  cmd.exe
  PID 832 wrote to memory of 1692    832   cmd.exe  cmd.exe
  PID 1692 wrote to memory of 1844   1692  cmd.exe  xcopy.exe
  PID 1692 wrote to memory of 1844   1692  cmd.exe  xcopy.exe
  PID 1692 wrote to memory of 1844   1692  cmd.exe  xcopy.exe
  PID 1692 wrote to memory of 1524   1692  cmd.exe  rundll32.exe
  PID 1692 wrote to memory of 1524   1692  cmd.exe  rundll32.exe
  PID 1692 wrote to memory of 1524   1692  cmd.exe  rundll32.exe
Processes
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Document_158_Copy_01-12\POV_Document_01-12.lnk
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c badpitdewy\amppopecun.cmd A B C D E F G H I J K L M N O P k R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\xcopy.exe
      xcopy /s /i /e /h badpitdewy\revealing.dat C:\Users\Admin\AppData\Local\Temp\*
    C:\Windows\system32\rundll32.exe
      rundll32 C:\Users\Admin\AppData\Local\Temp\revealing.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\revealing.dat
  Filesize: 189KB
  MD5: c9f3dd6dddcd3beb7070d9f915219034
  SHA1: c3f080523dc1b8c444742f372b9d212743b8a503
  SHA256: 65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984
  SHA512: 41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b
\Users\Admin\AppData\Local\Temp\revealing.dat
  Filesize: 189KB
  MD5: c9f3dd6dddcd3beb7070d9f915219034
  SHA1: c3f080523dc1b8c444742f372b9d212743b8a503
  SHA256: 65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984
  SHA512: 41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b
memory/832-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp
  Filesize: 8KB
memory/1524-94-0x0000000000000000-mapping.dmp
memory/1524-97-0x00000000000A0000-0x00000000000A9000-memory.dmp
  Filesize: 36KB
memory/1692-89-0x0000000000000000-mapping.dmp
memory/1844-93-0x0000000000000000-mapping.dmp